Bug Report - Personal Access Tokens

eadderley-tc · December 9, 2020, 12:16am

Hey, hope this is the right place or that I can directed to the right place. We think we’ve just discovered a bug that affects account permissions on personal access tokens. When editing an existing token’s permissions, specifically adding write:packages permissions, repo permissions are revoked on Update. Note that only this specific interaction causes this. It appears that you can re-apply repo permissions on a subsequent update without issue, but I figure the revocation is not intended functionality.

So, workflow:
Settings > Developer Settings > Personal access token
Note $yourToken’s permissions in italics. repo should be present
Click on $yourToken, add write:packages , Update token.
Note $yourToken’s permissions in italics. repo is now missing and write:packages is present
Click on $yourToken again, re-add repo , Update token.
Note $yourToken’s permissions in italics. It should read repo, write:packages

zsoobhan-tc · December 14, 2020, 11:44am

We have come across a similar issue with Personal Access Tokens and the write:packages permission. If you perform the authentication process with docker login and use a newly created token, the authentication process returns as successful but docker pull is denied.

Workflow:

Create a new token with write:packages at the github tokens page
Copy the token to your clipboard
in a shell run, docker login https://docker.pkg.github.com -u GITHUBUSERNAME and paste in the token
in the same shell do a docker pull docker pull docker.pkg.github.com/OWNER/REPO/KNOWN_EXISTING_IMAGE:KNOWN_TAG

The following error appears:

Error response from daemon: unauthorized: Your request could not be authenticated
by the GitHub Packages service.  Please ensure your access token is valid and has
the appropriate scopes configured.

To remedy this, the following works:

Go back to the github tokens page
open the SAME token up and click on Regenerate Token
in a shell, docker logout https://docker.pkg.github.com
in a shell, docker login https://docker.pkg.github.com -u GITHUBUSERNAME
use the NEW token as the password
in a shell docker pull docker pull docker.pkg.github.com/OWNER/REPO/KNOWN_EXISTING_IMAGE:KNOWN_TAG

n.b. It is important that you regenerate the same token otherwise this does not work with a brand new token.

whitneyimura · December 16, 2020, 12:07am

Hi @eadderley-tc - Thank you for reporting this bug. It certainly isn’t the intended behavior. I’ve created an issue on our side to fix.

fatihyildizhan · June 3, 2021, 5:20pm

Hi @zsoobhan-tc and @whitneyimura ,

I have the same problem. I am only able to push. When I try to pull it I am getting this error:

Error response from daemon: unauthorized: Your request could not be authenticated
by the GitHub Packages service.  Please ensure your access token is valid and has
the appropriate scopes configured.

I couldn’t regenerate the token with the existing one. How can I solve it? Thank you.